aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Unauthenticated access is not supported for this identity pool / The ambiguous role mapping rules denied this request #8644

Closed florianbepunkt closed 1 year ago

florianbepunkt commented 3 years ago

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
# Put output below this line
System:
  OS: macOS 10.15.7
  CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
  Memory: 253.73 MB / 32.00 GB
  Shell: 5.7.1 - /bin/zsh
Binaries:
  Node: 14.15.4 - ~/.nvm/versions/node/v14.15.4/bin/node
  Yarn: 1.22.10 - ~/.nvm/versions/node/v14.15.4/bin/yarn
  npm: 7.20.0 - ~/.nvm/versions/node/v14.15.4/bin/npm
Browsers:
  Chrome: 92.0.4515.107
  Firefox: 89.0.2
  Safari: 14.1.2
npmPackages:
  @types/jest: 26.0.23 => 26.0.23
  @types/node: 15.3.0 => 15.3.0 (14.17.6)
  jest: 26.6.3 => 26.6.3 (26.6.0)
  lerna: 4.0.0 => 4.0.0
  prettier: 2.3.2 => 2.3.2
  ts-jest: 26.5.6 => 26.5.6
  typescript: 4.3.5 => 4.3.5
npmGlobalPackages:
  @types/node: 15.6.1
  generator-serverless-policy: 3.1.0
  i18next-parser: 4.1.1
  lerna: 4.0.0
  npm-check: 5.9.2
  npm: 7.20.0
  serve: 12.0.0
  serverless: 2.52.0
  ts-node: 10.0.0
  typescript: 4.3.2
  yarn: 1.22.10
  yo: 4.2.0
```

Describe the bug

I use a Cognito user pool and an identity pool. A user is assigned a group with an IAM role. This group IAM role allows access to a REST API.

I can sign in using the "@aws-amplify/auth" package. After signing in await Auth.currentAuthenticatedUser(); returns the current user.

However, after sign in, when calling await Auth.currentAuthenticatedUser(); I get the following error: NotAuthorizedException: Unauthenticated access is not supported for this identity pool

This happens (see logs) because the credentials for the role cannot be loaded and, as a fallback, the user is treated as a guest. Sadly I have no idea what ambiguous role mapping means and I could not find anything helpful in the docs.

Expected behavior

await Auth.currentAuthenticatedUser(); should return the authenticated user

Reproduction steps

  1. Create a user pool (Software MFA mandatory) with a client
  2. Create an identity pool with the previously configured user pool as auth provider
  3. In the identity pool provider settings, set "Choose role from token" (see screenshot)
  4. Create a basic role for authenticated and unauthenticated users (I used the defaults the Cognito wizard suggested)
  5. In the user pool create a group and associate an IAM role with it (with access to some S3 bucket or API gateway)
  6. Use the @aws-amplify/auth package to set up sign in
  7. After sign in call await Auth.currentAuthenticatedUser(); in a separate function, e.g. a function bound to a button click

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
[DEBUG] 36:11.162 AuthClass - getting current credentials ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.163 Credentials - getting credentials ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.163 Credentials - picking up credentials ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.163 Credentials - getting new cred promise ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.164 Credentials - checking if credentials exists and not expired ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.164 Credentials - need to get a new credential or refresh the existing one ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.164 Credentials - no credentials for expiration check ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.164 AuthClass - Getting current user credentials ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.165 AuthClass - Getting current session ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.166 AuthClass - Getting the session from this user: CognitoUser {username: "REDCATED", pool: CognitoUserPool, Session: null, client: Client, signInUserSession: CognitoUserSession, …} ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.166 AuthClass - Succeed to get the user session CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0} ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.166 AuthClass - getting session success CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0} ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.166 Credentials - set credentials from session ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.407 Credentials - Failed to load credentials Promise {: NotAuthorizedException: The ambiguous role mapping rules for: cognito-idp.eu-central-1.amazonaws.co…}
    [[Prototype]]: Promise
    [[PromiseState]]: "rejected"
    [[PromiseResult]]: NotAuthorizedException: The ambiguous role mapping rules for: cognito-idp.eu-central-1.amazonaws.com/REDCATED denied this request.
        at eval (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/dist/es/protocols/Aws_json1_1.js:821:68)
        at step (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:129:23)
        at Object.eval [as next] (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:110:53)
        at fulfilled (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:100:58) ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.408 Credentials - Error loading credentials NotAuthorizedException: The ambiguous role mapping rules for: cognito-idp.eu-central-1.amazonaws.com/REDCATED denied this request.
    at eval (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/dist/es/protocols/Aws_json1_1.js:821:68)
    at step (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:129:23)
    at Object.eval [as next] (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:110:53)
    at fulfilled (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:100:58) ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.408 AuthClass - getting session failed NotAuthorizedException: The ambiguous role mapping rules for: cognito-idp.eu-central-1.amazonaws.com/REDCATED denied this request.
    at eval (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/dist/es/protocols/Aws_json1_1.js:821:68)
    at step (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:129:23)
    at Object.eval [as next] (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:110:53)
    at fulfilled (webpack-internal:///../../node_modules/@aws-sdk/client-cognito-identity/node_modules/tslib/tslib.es6.js:100:58) ConsoleLogger.js?1ea0:127
[DEBUG] 36:11.408 Credentials - setting credentials for guest ConsoleLogger.js?1ea0:139
[DEBUG] 36:11.484 Credentials - Failed to load credentials Promise {: NotAuthorizedException: Unauthenticated access is not supported for this identity pool. at eval…}
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

miekassu commented 2 years ago

> Sadly I have no idea what ambiguous role mapping means and I could not find anything helpful in the docs.

Ambiguous Role Resolution is a setting in the Identity Pool.

If no rules match, the role resolution will be invoked. By default, it will fall back to the default role specified for this Identity Pool. You can also choose to DENY the request.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution

The error NotAuthorizedException: The ambiguous role mapping rules means that none of the given rules match. The request should be denied, but this error is thrown.

This is not an amplify-js-specific issue, since I'm having the same error while using CDK. I think this is a bug 🐛 in the Identity Pool service itself.
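An added diagnostic for the "Choose role from token" setup described in this issue (example code, not from amplify-js or anyone in this thread): it decodes the ID token's claims and predicts whether the identity pool will pick a role from the token or fall into the ambiguous-resolution path the comment above describes. The pool ID, role ARNs and tokens are constructed placeholders, and the resolution logic follows the CloudFormation description linked above (no match falls back to the default authenticated role or denies).

```javascript
// Added example, not code from amplify-js or this thread: decode a Cognito ID
// token payload and predict what an identity pool set to "Choose role from token"
// will do with it. Claims only; the signature is NOT verified, so treat it as a
// local diagnostic for a token you already hold, never as a verifier.
function base64UrlDecode(segment) {
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// ambiguousRoleResolution mirrors the identity pool setting quoted above:
// 'AuthenticatedRole' falls back to the pool's default authenticated role,
// 'Deny' rejects the request (the NotAuthorizedException in the issue's log).
function resolveRoleFromToken(payload, { ambiguousRoleResolution, defaultAuthenticatedRole }) {
  const preferred = payload['cognito:preferred_role'];
  if (preferred) return { role: preferred, reason: 'cognito:preferred_role claim present' };
  // No preferred role: the user is in no group, or in groups whose precedence
  // ties, so no role can be picked from the token and the resolution setting applies.
  const why = (payload['cognito:roles'] || []).length === 0
    ? 'no cognito:roles claim' : 'cognito:roles present but no preferred role';
  if (ambiguousRoleResolution === 'Deny') return { role: null, reason: `${why}; Deny -> request denied` };
  return { role: defaultAuthenticatedRole, reason: `${why}; fell back to default authenticated role` };
}

// Constructed, unsigned sample tokens (placeholder header and signature, not real
// Cognito tokens) so the example runs offline.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'placeholder' })}.${enc(payload)}.placeholder-signature`;
}
const ISS = 'https://cognito-idp.eu-central-1.amazonaws.com/PLACEHOLDER_POOL_ID';
const GROUP_ROLE = 'arn:aws:iam::123456789012:role/api-users-role'; // placeholder ARN
const TOKEN_WITH_GROUP = sampleToken({ iss: ISS, sub: 'user-1', 'cognito:groups': ['api-users'],
  'cognito:roles': [GROUP_ROLE], 'cognito:preferred_role': GROUP_ROLE });
const TOKEN_NO_GROUP = sampleToken({ iss: ISS, sub: 'user-2' });

const POOL = { ambiguousRoleResolution: 'Deny',
  defaultAuthenticatedRole: 'arn:aws:iam::123456789012:role/default-authenticated' };
console.log(resolveRoleFromToken(decodeJwtPayload(TOKEN_WITH_GROUP), POOL)); // role: GROUP_ROLE
console.log(resolveRoleFromToken(decodeJwtPayload(TOKEN_NO_GROUP), POOL));   // role: null
```

If the token you pull from Auth.currentSession() lacks cognito:preferred_role, the user is not in a group with a role (or is in tied groups), which is exactly the case where a Deny setting produces the error from the log.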

tannerabread commented 1 year ago

@florianbepunkt I know this is an old issue, are you still having trouble with this?

darrenybarra commented 1 year ago

@tannerabread I just ran into this issue today trying to set up Okta OIDC authentication via Cognito. I'm getting the same error but not sure how to fix it.

tannerabread commented 1 year ago

@darrenybarra Before I dive too deep into this, check out this comment on a similar issue and this comment along with the thread below it. That seemed to fix a lot of people's issues in the past, and then some people didn't properly configure amplify within their app.

tannerabread commented 1 year ago

@darrenybarra Was that helpful in solving your issue or should I investigate further?

tannerabread commented 1 year ago

Hi 👋 Closing this as we have not heard back from you. If you are still experiencing this issue and in need of assistance, please feel free to comment and provide us with any information previously requested by our team members so we can re-open this issue and be better able to assist you.

Thank you!